
Best practice click jacking prevention: What if javascript is disabled?


I am currently looking into protecting a website against clickjacking. German Wikipedia gives the following best practice example to do so:

<style> html { display: none; } </style>
<script>
    /* The page is hidden by default and only revealed when it is the
       top-level document; when framed, it navigates the top window to
       itself (classic "frame busting"). */
    if (self == top) {
       document.documentElement.style.display = 'block';
    } else {
       top.location = self.location;
    }
</script>

I was wondering, however: what if the client has JavaScript disabled? Then they will NOT have the page displayed. We have the requirement to ship a fully functional non-JavaScript version of the app.

Any recommendation to achieve that?


Solution

  • You can use

    <script>
        // Display the page normally; only hide it and break out of the
        // frame when the document is NOT the top-level window.
        if (self !== top) {
           document.documentElement.style.display = 'none';
           top.location = self.location;
        }
    </script>


    to still hide the page in case the navigation attempt is successfully attacked. You could also show a message along the lines of self.location.href + " cannot be displayed in a frame." instead.

    Of course, this will not prevent your page from being shown in a frame when JavaScript is disabled (maybe not even globally but just in your frame), so you should always send the respective X-Frame-Options header alongside.
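The header-based fallback the answer recommends, as an added example that is not part of the question or answer: a small WSGI middleware (standard library only, no framework) that sets `X-Frame-Options` on every response, and an audit helper that classifies a response's headers so you can check, without a browser, whether a page is framing-protected even when the client has JavaScript disabled. The app, the `frame_protection` helper and the `run` harness are constructed for this example; the HTML body reuses the answer's script.

```python
"""Added example (not from the question or answer): X-Frame-Options as the
no-JavaScript fallback for clickjacking protection.

- frame_options_middleware: wraps any WSGI app and forces a single
  X-Frame-Options header (DENY or SAMEORIGIN) onto every response.
- frame_protection: audits a response's header list and reports what
  framing protection it actually declares, which is what a client with
  JavaScript disabled relies on.
- run: invokes a WSGI app in-process so the example runs offline.
"""
from wsgiref.util import setup_testing_defaults

# The two X-Frame-Options values that current browsers enforce.
VALID_XFO = ("DENY", "SAMEORIGIN")


def frame_protection(headers):
    """Classify the framing protection declared by a response.

    `headers` is an iterable of (name, value) pairs as returned by a WSGI
    app. Header names are matched case-insensitively and the first
    X-Frame-Options header wins. Returns one of:
      'DENY', 'SAMEORIGIN'  - enforced by browsers regardless of JavaScript
      'ALLOW-FROM'          - legacy syntax, ignored by most current browsers
      'INVALID'             - header present but unrecognised (treated as absent)
      'NONE'                - no header at all: only script-based busting remains
    """
    for name, value in headers:
        if name.lower() == "x-frame-options":
            token = value.strip().upper()
            if token in VALID_XFO:
                return token
            if token.startswith("ALLOW-FROM"):
                return "ALLOW-FROM"
            return "INVALID"
    return "NONE"


def frame_options_middleware(app, policy="SAMEORIGIN"):
    """Return a WSGI app that adds X-Frame-Options: <policy> to every response.

    Any X-Frame-Options header the inner app already set is replaced, so the
    response never carries two conflicting values.
    """
    if policy not in VALID_XFO:
        raise ValueError("X-Frame-Options must be DENY or SAMEORIGIN")

    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            headers = [(n, v) for n, v in headers
                       if n.lower() != "x-frame-options"]
            headers.append(("X-Frame-Options", policy))
            return start_response(status, headers, exc_info)
        return app(environ, patched_start)
    return wrapped


def unprotected_app(environ, start_response):
    """Constructed sample app: serves the answer's script but no header, so a
    client with JavaScript disabled gets no framing protection at all."""
    body = (b"<!doctype html><html><head><script>"
            b"if (self !== top) {"
            b" document.documentElement.style.display = 'none';"
            b" top.location = self.location; }"
            b"</script></head><body>Visible without JavaScript.</body></html>")
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


def run(app, path="/"):
    """Call a WSGI app in-process and return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)   # minimal, valid WSGI environ
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for label, app in (("without middleware", unprotected_app),
                       ("with middleware", frame_options_middleware(unprotected_app))):
        _, headers, _ = run(app)
        print(f"{label}: framing protection = {frame_protection(headers)}")
```

Running the module shows `NONE` for the bare app and `SAMEORIGIN` once it is wrapped; the audit helper is also usable on headers captured from a live deployment to confirm the header is actually reaching the browser.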